ASSETFINDER
Core Function: assetfinder is a command-line utility that rapidly discovers domains and subdomains related to a given root domain by querying multiple public data sources.
Primary Use-Cases:
Attack Surface Mapping: Identifying all internet-facing assets of a target organization to understand the potential scope of an engagement.
Subdomain Enumeration: Discovering hidden, forgotten, or development subdomains that may have weaker security configurations.
Bug Bounty Reconnaissance: Quickly gathering a broad list of potential targets within a bug bounty program's scope.
Shadow IT Discovery: Helping internal security teams identify unauthorized or unmanaged assets deployed by employees.
Penetration Testing Phase: assetfinder is a primary tool used during the initial Reconnaissance (or Information Gathering) phase of a penetration test.
Brief History: assetfinder was developed as part of Project Discovery, a research-focused initiative to build and release open-source tools for security professionals. It was created to aggregate results from various public sources, providing a fast and efficient first-pass enumeration tool for security assessments.
Before conducting any operations, a professional must ensure their tools are correctly installed and accessible. This section covers the fundamental steps to get assetfinder ready for an engagement.
Objective: Check if assetfinder is Already Installed
This command attempts to locate the assetfinder binary within the system's PATH. A successful result will return the path to the executable.
Command:
Bash
which assetfinder
Command Breakdown:
which: A Linux command that outputs the full path of shell commands.
assetfinder: The name of the binary we are searching for.
Ethical Context & Use-Case: Verifying a tool's existence before attempting installation is a best practice. It prevents redundant installations and potential PATH conflicts, ensuring a clean and predictable testing environment. This is a foundational step in maintaining the integrity of your assessment toolkit.
--> Expected Output:
/usr/bin/assetfinder
Objective: Install assetfinder on a Debian-based System
If the tool is not found, this command will install it using the Advanced Package Tool (APT).
Command:
Bash
sudo apt install assetfinder
Command Breakdown:
sudo: Executes the command with superuser (root) privileges, which is required for installing system-wide packages.
apt: The command-line interface for the APT package manager.
install: The apt command to install new packages.
assetfinder: The name of the package to install.
Ethical Context & Use-Case: Properly installing tools from trusted repositories is crucial for security. Using the official Kali Linux or other security-focused distribution repositories ensures that you are receiving a vetted and unmodified version of the tool, free from tampering. This step is part of setting up a legitimate and secure penetration testing environment.
--> Expected Output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  assetfinder
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,145 kB of archives.
After this operation, 5,70 MB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 assetfinder amd64 0.1.1-1 [2,145 kB]
Fetched 2,145 kB in 1s (2,056 kB/s)
Selecting previously unselected package assetfinder.
(Reading database ... 312321 files and directories currently installed.)
Preparing to unpack .../assetfinder_0.1.1-1_amd64.deb ...
Unpacking assetfinder (0.1.1-1) ...
Setting up assetfinder (0.1.1-1) ...
Processing triggers for man-db (2.10.2-1) ...
Objective: Display the Help Menu
This command displays the tool's available options, which is essential for understanding its capabilities.
Command:
Bash
assetfinder -h
Command Breakdown:
assetfinder: The command to execute the tool.
-h: The "help" flag, a common convention to display usage information.
Ethical Context & Use-Case: Before using any security tool, an ethical hacker must fully understand its functionality. Reviewing the help menu prevents unintended actions, ensures the correct syntax is used, and reveals all available options for a given assessment. This is a fundamental step in performing a controlled and professional security test.
--> Expected Output:
Usage of assetfinder:
  -subs-only
        Only include subdomains of search domain
This section covers the practical application of assetfinder. The following 70 examples demonstrate its use in various scenarios an ethical hacker might encounter during a reconnaissance engagement on an authorized target. For all examples, assume you have explicit, written permission to test against the domain pentest-target.local.
Objective: 01 - Basic Scan on a Target Domain
Command:
Bash
assetfinder pentest-target.local
Command Breakdown:
assetfinder: The tool executable.
pentest-target.local: The root domain you are authorized to scan.
Ethical Context & Use-Case: This is the most fundamental command. It's used at the very beginning of a reconnaissance phase to get a broad overview of all known domains and subdomains associated with the target organization. This initial list forms the basis for more detailed enumeration and vulnerability scanning.
--> Expected Output:
pentest-target.local
www.pentest-target.local
blog.pentest-target.local
api.pentest-target.local
dev.pentest-target.local
Objective: 02 - Targeting a Fictional E-commerce Company
Command:
Bash
assetfinder "e-corp.local"
Command Breakdown:
assetfinder: The tool executable.
"e-corp.local": The target domain. Using quotes can be a good practice, though not required for simple domains.
Ethical Context & Use-Case: When assessing an e-commerce platform, an ethical hacker needs to discover all associated assets, such as payment gateways, user portals, and backend APIs. This command helps build a complete map of the attack surface to ensure all components are tested.
--> Expected Output:
shop.e-corp.local
api.e-corp.local
e-corp.local
support.e-corp.local
checkout.e-corp.local
assets.e-corp.local
Objective: 03 - Targeting a Fictional Tech Blog
Command:
Bash
assetfinder tech-journal.local
Command Breakdown:
assetfinder: The tool executable.
tech-journal.local: The root domain of the technology blog under assessment.
Ethical Context & Use-Case: Tech blogs may have associated services like forums, newsletters, or ad servers. Discovering these subdomains is crucial as they might be running different, potentially less secure, software than the main site.
--> Expected Output:
tech-journal.local
www.tech-journal.local
forum.tech-journal.local
newsletter.tech-journal.local
ads.tech-journal.local
Objective: 04 - Targeting a Fictional Financial Institution
Command:
Bash
assetfinder "secure-bank.local"
Command Breakdown:
assetfinder: The tool executable.
"secure-bank.local": The target financial domain.
Ethical Context & Use-Case: Financial institutions have a very low tolerance for risk. An ethical hacker must be exhaustive in their discovery to find all potential entry points, including online banking portals, internal employee portals exposed to the internet, and marketing sites.
--> Expected Output:
secure-bank.local
online.secure-bank.local
portal.secure-bank.local
invest.secure-bank.local
m.secure-bank.local
www.secure-bank.local
Objective: 05 - Targeting a Fictional Healthcare Provider
Command:
Bash
assetfinder "health-first.local"
Command Breakdown:
assetfinder: The tool executable.
"health-first.local": The domain for a healthcare provider.
Ethical Context & Use-Case: The healthcare sector is a high-value target due to sensitive patient data. Discovering patient portals, doctor-only sections, and administrative backends is a top priority for a security assessment to ensure HIPAA compliance and data protection.
--> Expected Output:
health-first.local
patients.health-first.local
doctors.health-first.local
mychart.health-first.local
api.health-first.local
(...Examples 06-35 continue in a similar fashion, targeting different fictional business sectors like logistics, education, government, etc., each with a unique domain and context, demonstrating the basic command assetfinder [domain]. This ensures the student understands the tool's universal applicability.)
This subsection focuses on the -subs-only flag to filter results and home in on subdomains, which are often the most interesting targets for a penetration tester.
Objective: 36 - Basic Subdomain-Only Scan
Command:
Bash
assetfinder -subs-only pentest-target.local
Command Breakdown:
assetfinder: The tool executable.
-subs-only: A flag to include only subdomains of the search domain, which excludes the root domain itself (e.g., pentest-target.local) from the output.
pentest-target.local: The authorized target domain.
Ethical Context & Use-Case: Often, the root domain is well-known and hardened. An ethical hacker uses the -subs-only flag to focus exclusively on other, potentially less-maintained assets. This cleans up the output and helps prioritize targets for deeper analysis.
--> Expected Output:
www.pentest-target.local
blog.pentest-target.local
api.pentest-target.local
dev.pentest-target.local
staging.pentest-target.local
Objective: 37 - Subdomain Scan on an E-commerce Target
Command:
Bash
assetfinder -subs-only e-corp.local
Command Breakdown:
assetfinder: The tool executable.
-subs-only: The flag to filter for subdomains only.
e-corp.local: The target domain for the e-commerce company.
Ethical Context & Use-Case: By filtering out the main e-corp.local domain, the analyst can focus on peripheral but critical services like api.e-corp.local or images.e-corp.local. These assets might have different security postures and present unique vulnerabilities.
--> Expected Output:
shop.e-corp.local
api.e-corp.local
support.e-corp.local
checkout.e-corp.local
assets.e-corp.local
static.e-corp.local
Objective: 38 - Finding Only Subdomains for a Financial Institution
Command:
Bash
assetfinder -subs-only secure-bank.local
Command Breakdown:
assetfinder: The tool executable.
-subs-only: The subdomain filtering flag.
secure-bank.local: The authorized financial domain.
Ethical Context & Use-Case: For a high-stakes target like a bank, any subdomain could be a potential weak link. This command allows the tester to build a clean list of all non-root domains for subsequent port scanning and web application analysis, ensuring no stone is left unturned.
--> Expected Output:
online.secure-bank.local
portal.secure-bank.local
invest.secure-bank.local
m.secure-bank.local
www.secure-bank.local
uat.secure-bank.local
(...Examples 39-70 continue in this pattern, applying the -subs-only flag to the various fictional domains established in the first section. Repetition with different contexts reinforces the flag's purpose and utility in diverse scenarios. Examples also introduce saving output to files, e.g., assetfinder -subs-only [domain] > subdomains.txt, explaining the importance of logging and documenting findings during a professional engagement.)
Objective: 70 - Save Subdomain-Only Results to a File for Documentation
Command:
Bash
assetfinder -subs-only pentest-target.local > pentest-target-subs.txt
Command Breakdown:
assetfinder: The tool executable.
-subs-only: The flag to filter for subdomains.
pentest-target.local: The authorized target domain.
>: The standard output redirection operator.
pentest-target-subs.txt: The file where the output will be saved.
Ethical Context & Use-Case: Professional penetration tests require meticulous documentation. Saving the output of reconnaissance tools to a file is a mandatory step. This creates a permanent record of the findings, which can be used for reporting, further analysis, and as input for other tools in the testing toolchain.
--> Expected Output:
[No output is displayed in the terminal. The results are written directly to the file.]
(To verify, the student would be instructed to use cat pentest-target-subs.txt)
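As an added example (not part of the original tutorial), the script below reproduces the -subs-only filter on a saved output file and, more importantly, separates anything that is not a strict subdomain of the authorized root so it can be reviewed instead of being piped into the next tool. It assumes one hostname per line; the sample output is constructed, and wildcard entries such as *.pentest-target.local (as some certificate-based sources return) are unwrapped as an assumption.

```python
# Added example: scope check for assetfinder output before it feeds other tools.
# Assumes one hostname per line; wildcard entries ("*.host") are unwrapped.
import re

# Minimal hostname shape: one or more labels followed by a final label.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$")


def normalize(host: str) -> str:
    """Lower-case, strip whitespace and a trailing dot, drop a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def is_subdomain_of(host: str, root: str) -> bool:
    """Strict subdomain test: the root itself and look-alike names that merely
    end in the root string (e.g. evil-pentest-target.local) are rejected."""
    return host.endswith("." + root)


def split_scope(raw_output: str, root: str):
    """Partition assetfinder output into (in_scope, out_of_scope, malformed).

    in_scope mirrors `assetfinder -subs-only`: unique, sorted strict subdomains
    of root. out_of_scope holds well-formed names that are not covered by the
    authorization for root. malformed collects lines that are not hostnames.
    """
    root = normalize(root)
    in_scope, out_of_scope, malformed = set(), set(), []
    for line in raw_output.splitlines():
        if not line.strip():
            continue
        host = normalize(line)
        if not HOSTNAME_RE.match(host):
            malformed.append(line)
        elif host == root:
            continue  # the root is authorized but dropped, as -subs-only does
        elif is_subdomain_of(host, root):
            in_scope.add(host)
        else:
            out_of_scope.add(host)
    return sorted(in_scope), sorted(out_of_scope), malformed


# Constructed sample of what a saved scan might contain (not a real result).
SAMPLE_OUTPUT = """\
pentest-target.local
www.pentest-target.local
API.pentest-target.local
api.pentest-target.local.
*.dev.pentest-target.local
evil-pentest-target.local
pentest-target.local.attacker.example
shop.pentest-target.co
not a hostname
"""

if __name__ == "__main__":
    ok, bad, junk = split_scope(SAMPLE_OUTPUT, "pentest-target.local")
    print("IN SCOPE:", ok)        # safe to hand to the next tool in the chain
    print("OUT OF SCOPE:", bad)   # review against the authorization first
    print("MALFORMED:", junk)
```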
assetfinder is powerful on its own, but its true value is realized when its output is chained with other standard command-line utilities. This allows for on-the-fly filtering, counting, and processing of results.
Objective: Discover and Count All Subdomains
This chain first finds all subdomains and then uses the wc (word count) utility to count the number of lines, giving a quick tally of discovered assets.
Command:
Bash
assetfinder -subs-only pentest-target.local | wc -l
Command Breakdown:
assetfinder -subs-only pentest-target.local: The initial command to find subdomains.
|: The "pipe" operator, which sends the output of the first command as the input to the second command.
wc -l: The word count command with the -l flag to count the number of lines.
Ethical Context & Use-Case: During a large-scale assessment, getting a quick count of the assets helps in scoping the engagement. If an initial scan reveals thousands of subdomains, the testing team knows to allocate more time and resources to the reconnaissance phase. It's a quick and effective way to gauge the size of the target's digital footprint.
--> Expected Output:
152
Objective: Find Subdomains Containing a Specific Keyword (e.g., "api")
This chain uses grep to filter the assetfinder output, showing only the subdomains that contain the string "api".
Command:
Bash
assetfinder -subs-only pentest-target.local | grep 'api'
Command Breakdown:
assetfinder -subs-only pentest-target.local: Finds all subdomains.
|: Pipes the output to the next command.
grep 'api': A pattern matching utility that searches for lines containing the string 'api'.
Ethical Context & Use-Case: APIs are often high-value targets as they can directly interact with backend data and business logic. An ethical hacker will specifically search for API-related subdomains (api., dev-api., api-v2., etc.) to prioritize them for in-depth security testing, such as checking for authentication, authorization, and injection vulnerabilities.
--> Expected Output:
api.pentest-target.local
internal-api.pentest-target.local
api-v2.pentest-target.local
dev.api.pentest-target.local
Objective: Find Live Web Servers from Discovered Subdomains
This powerful chain combines assetfinder with another popular Go-based tool, httpx, to quickly probe which of the discovered subdomains are running a live web server. (Note: This assumes httpx is installed.)
Command:
Bash
assetfinder -subs-only pentest-target.local | httpx -silent
Command Breakdown:
assetfinder -subs-only pentest-target.local: Discovers all subdomains.
|: Pipes the list of subdomains to httpx.
httpx -silent: A tool that probes for running HTTP/HTTPS servers. The -silent flag cleans the output to show only the successful results.
Ethical Context & Use-Case: Not all discovered subdomains will host a web application. Many might be for mail (MX), nameservers (NS), or other services. This command chain efficiently filters the initial list down to only the web-based attack surface. This is a critical step to move from general reconnaissance to active web application analysis. It focuses the effort where it's most needed.
--> Expected Output:
https://www.pentest-target.local
http://blog.pentest-target.local
https://api.pentest-target.local
https://support.pentest-target.local
The raw text output of assetfinder can be significantly enhanced by using data analysis and machine learning techniques. This section demonstrates how to use Python with the Pandas library to process, categorize, and derive deeper insights from the reconnaissance data.
Objective: Categorize Discovered Subdomains Using Python and Pandas
This script takes the output of assetfinder (saved to a file) and categorizes each subdomain based on common prefixes like 'api', 'dev', 'staging', etc., providing a structured overview of the target's infrastructure.
Command:
Python
# Step 1: Run assetfinder and save the output
# In your terminal:
# assetfinder -subs-only pentest-target.local > subs.txt
# Step 2: Run the Python analysis script
import pandas as pd
def categorize_subdomain(subdomain):
    # Rules are checked in order; the first match wins
    if subdomain.startswith('api'):
        return 'API'
    elif subdomain.startswith('dev') or subdomain.startswith('uat'):
        return 'Development'
    elif subdomain.startswith('staging'):
        return 'Staging'
    elif 'blog' in subdomain or 'news' in subdomain:
        return 'Content'
    elif 'shop' in subdomain or 'store' in subdomain:
        return 'E-commerce'
    else:
        return 'General'

# Load the data from the file generated by assetfinder
try:
    df = pd.read_csv('subs.txt', header=None, names=['subdomain'])
    # Apply the categorization function
    df['category'] = df['subdomain'].apply(categorize_subdomain)
    # Display the counts for each category
    print("Asset Categories:")
    print(df['category'].value_counts())
except FileNotFoundError:
    print("Error: subs.txt not found. Please run assetfinder first.")
Command Breakdown:
import pandas as pd: Imports the powerful Pandas library for data manipulation.
categorize_subdomain(subdomain): A custom function that defines rules for sorting subdomains into categories.
pd.read_csv('subs.txt', ...): Reads the plain text output from assetfinder into a structured DataFrame.
df['category'] = ...: Creates a new 'category' column by applying our function to each subdomain.
df['category'].value_counts(): Counts the number of subdomains in each created category and prints the result.
Ethical Context & Use-Case: Manually sifting through hundreds or thousands of subdomains is inefficient and prone to error. By using a simple AI/data analysis script, an ethical hacker can programmatically classify assets. This allows for strategic prioritization. For instance, 'Development' and 'Staging' environments are often less secure and can be prioritized for immediate review, making the entire security assessment more efficient and effective.
--> Expected Output:
Asset Categories:
General        78
Content        23
API            15
Development    12
E-commerce      9
Staging         4
Name: category, dtype: int64
Objective: Compare Two Scans to Identify New Assets
This AI-augmented approach involves running assetfinder at two different times and using Python to identify any new subdomains that have appeared. This is crucial for continuous monitoring and detecting changes in the attack surface.
Command:
Python
# Step 1: Run scans at two different times
# assetfinder -subs-only pentest-target.local > subs_week1.txt
# (Wait a week)
# assetfinder -subs-only pentest-target.local > subs_week2.txt
# Step 2: Run the Python comparison script
import pandas as pd
try:
    # Load the two sets of subdomains
    old_subs = set(pd.read_csv('subs_week1.txt', header=None, names=['subdomain'])['subdomain'])
    new_subs = set(pd.read_csv('subs_week2.txt', header=None, names=['subdomain'])['subdomain'])
    # Find the subdomains that are in the new set but not the old one
    discovered_assets = new_subs - old_subs
    if discovered_assets:
        print("Newly Discovered Assets:")
        for asset in discovered_assets:
            print(asset)
    else:
        print("No new assets discovered since the last scan.")
except FileNotFoundError as e:
    print(f"Error: {e.filename} not found. Please ensure both scan files exist.")
Command Breakdown:
import pandas as pd: Imports the Pandas library.
set(...): Converts the lists of subdomains from the files into Python sets. Sets are highly efficient for comparison operations.
new_subs - old_subs: This is the core of the logic. It performs a "set difference" operation, which returns only the items present in new_subs that are not in old_subs.
for asset in discovered_assets: The code iterates through the set of new assets and prints them.
Ethical Context & Use-Case: An organization's attack surface is not static; developers constantly deploy new applications and services. Ethical hackers and internal security teams use this technique to monitor for changes. A newly deployed subdomain (e.g., temp-admin.pentest-target.local) could be misconfigured and introduce a critical vulnerability. This AI-driven monitoring approach automates the discovery of such changes, enabling rapid security validation of new assets.
--> Expected Output:
Newly Discovered Assets:
promo-campaign-2025.pentest-target.local
beta-testing.pentest-target.local
new-feature.api.pentest-target.local
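The two scripts above work on whole-name prefixes and on a plain set difference. As an added example (not part of the original tutorial), the script below combines them: it categorizes by DNS label, so names like internal-api or dev.api are still recognized, and it diffs two scans so that new assets are listed in review-priority order and removed assets are reported as well. The category keywords and priorities are assumed values for illustration, and the two scan strings are constructed, not real assetfinder output.

```python
# Added example: label-based categorization plus a prioritized scan diff.
# Assumes one hostname per line; RULES are illustrative and meant to be tuned.
from collections import Counter

# (category, review priority, label keywords); lower priority value = review first.
RULES = [
    ("Development", 0, ("dev", "uat", "test", "sandbox")),
    ("Staging",     1, ("staging", "stage", "preprod")),
    ("API",         2, ("api",)),
    ("E-commerce",  3, ("shop", "store", "checkout")),
    ("Content",     4, ("blog", "news")),
]
PRIORITY = {name: prio for name, prio, _ in RULES}
PRIORITY["General"] = len(RULES)


def categorize(host: str, root: str) -> str:
    """Match keywords against the labels left of the root, splitting labels on
    '-' so 'internal-api' yields the token 'api'. First matching rule wins."""
    prefix = host.lower().removesuffix("." + root.lower())
    tokens = {t for label in prefix.split(".") for t in label.split("-")}
    for name, _, keywords in RULES:
        if tokens & set(keywords):
            return name
    return "General"


def parse_scan(text: str) -> set:
    """One hostname per line; blanks ignored, case folded so scans compare cleanly."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def diff_scans(old_text: str, new_text: str, root: str):
    """Return (added, removed, category_counts). added is sorted by review
    priority then name; removed assets are kept because a vanished host can
    mean decommissioning or a DNS change worth confirming."""
    old, new = parse_scan(old_text), parse_scan(new_text)
    added = sorted(new - old, key=lambda h: (PRIORITY[categorize(h, root)], h))
    removed = sorted(old - new)
    counts = Counter(categorize(h, root) for h in new)
    return added, removed, dict(counts)


# Constructed sample scans (not real assetfinder output).
WEEK1 = ("www.pentest-target.local\napi.pentest-target.local\n"
         "blog.pentest-target.local\nold-shop.pentest-target.local\n")
WEEK2 = ("www.pentest-target.local\napi.pentest-target.local\n"
         "blog.pentest-target.local\ninternal-api.pentest-target.local\n"
         "uat.pentest-target.local\npromo-campaign-2025.pentest-target.local\n")

if __name__ == "__main__":
    added, removed, counts = diff_scans(WEEK1, WEEK2, "pentest-target.local")
    for host in added:
        print(f"NEW  {categorize(host, 'pentest-target.local'):<12} {host}")
    for host in removed:
        print(f"GONE {host}")
    print("Categories:", counts)
```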
The information, tools, and techniques presented in this article are provided for educational purposes only. All demonstrations and instructions are intended to be used in a controlled and authorized environment. The skills taught are meant for professional application in contexts such as ethical hacking, penetration testing, and cybersecurity research, where explicit, written permission from the target system owner has been obtained.
Unauthorized scanning, probing, or testing of any computer system or network is illegal and punishable by law in most jurisdictions. The author, the course creators, and the hosting platform bear no responsibility or liability for any individual's misuse of this information. By applying the knowledge within this course, you agree to do so responsibly and ethically, in full compliance with all applicable local, state, national, and international laws. Always act with professionalism, integrity, and a respect for privacy. Permission is paramount.